Metadata page requires style-src hash in CSP #1332
Comments
Note: currently no CSP header is set on engine.
Discussed: On prod, no CSP header is set. We see no reason why this is not set stricter. But when the style-src is restricted, the metadata page does not show properly. So investigate why, and restrict the style-src CSP.
This is the (stricter) CSP that we would like to use, if feasible:
As discussed, could not reproduce. Is it possible to include the errors from the browser console?
Using:

Header set Content-Security-Policy "default-src 'self'; font-src 'self'; style-src 'self'; script-src 'unsafe-inline' 'self'; img-src 'self' https://.myorg.nl: data:; frame-ancestors 'none'; form-action 'self' https:; base-uri 'none';"

Once I add the hashes the errors are gone and the metadata XML is properly styled. We see the same behaviour in Chrome. Firefox is not affected by this at all and will always show a styled metadata XML without console errors.
Thanks, with that I'm able to reproduce the error. (I still need to change the But as far as I know, this is not something we can fix serverside, as there is no style information in the XML file. So, server-side, it's impossible to generate a hash. When we add the hash in the error to the csp, that might fix it, but only until chrome updates the render script. In a way, it's working as intended since someone whom the server does not trust (Chrome) is injecting styles into the page. The only reference online I could find is here: So I think the options are:
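To make the hash mechanism in the discussion above concrete, here is an added example (not code from this thread or from the engine project) that computes the `'sha256-...'` style-src token for an inline stylesheet body, checks whether a CSP header would let the browser apply that inline block, and appends the token to style-src the way the comment above suggests. The inline stylesheet text is a constructed stand-in for whatever a browser's XML viewer injects, the policy string is the stricter one posted in the thread with the org-specific img-src host left out, and the observation that a one-character change in the injected stylesheet defeats the hash is exactly the fragility the comment describes.

```python
import base64
import hashlib

# Constructed sample of an inline stylesheet body, standing in for whatever a
# browser's built-in XML viewer injects; the real text is not known server-side.
INJECTED_STYLE = "body { font-family: monospace; }"

# The stricter policy from the thread (value of the Apache "Header set" directive),
# with the org-specific img-src host left out.
STRICT_CSP = (
    "default-src 'self'; font-src 'self'; style-src 'self'; "
    "script-src 'unsafe-inline' 'self'; img-src 'self' data:; "
    "frame-ancestors 'none'; form-action 'self' https:; base-uri 'none';"
)

HASH_ALGOS = ("sha256", "sha384", "sha512")
NONCE_OR_HASH_PREFIXES = ("'nonce-",) + tuple(f"'{a}-" for a in HASH_ALGOS)


def csp_hash(content: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline <style>/<script> body: 'sha256-<base64 digest>'.
    The digest covers the exact bytes between the tags, so any whitespace change breaks it."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict) -> str:
    """Inverse of parse_csp, producing a header value in the same layout as the thread's."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items()) + ";"


def sources_for(policy: dict, directive: str) -> list:
    """Fetch directives such as style-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def inline_allowed(policy: dict, directive: str, content: str) -> bool:
    """Would the browser apply this inline block under the given directive?
    'unsafe-inline' only counts when no nonce or hash source is present (CSP Level 2+)."""
    sources = sources_for(policy, directive)
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return any(csp_hash(content, a) in sources for a in HASH_ALGOS)


def with_style_hash(header: str, content: str) -> str:
    """Return the policy with the hash of `content` appended to style-src.
    This is the workaround discussed in the thread and inherits its weakness: the
    token is tied to one exact stylesheet text and silently stops matching when it changes."""
    policy = parse_csp(header)
    policy.setdefault("style-src", list(policy.get("default-src", [])))
    token = csp_hash(content)
    if token not in policy["style-src"]:
        policy["style-src"].append(token)
    return serialize_csp(policy)


if __name__ == "__main__":
    strict = parse_csp(STRICT_CSP)
    print("inline style allowed under strict policy:", inline_allowed(strict, "style-src", INJECTED_STYLE))
    patched = with_style_hash(STRICT_CSP, INJECTED_STYLE)
    print("patched header:", patched)
    print("allowed after adding hash:", inline_allowed(parse_csp(patched), "style-src", INJECTED_STYLE))
    # A one-character change in the injected stylesheet defeats the hash again.
    print("allowed after the browser changes its stylesheet:",
          inline_allowed(parse_csp(patched), "style-src", INJECTED_STYLE + " "))
```

The token the browser prints in its console error is exactly `csp_hash(<injected stylesheet>)`; the server can only reproduce it if it knows the stylesheet bytes, which is why the thread concludes the hash cannot be generated server-side for styles injected by the browser.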
The Content-type is not something that can be changed.
For some reason, the metadata page of engineblock won't display properly in Edge/Chrome without a CSP style-src hash. Investigate why this happens.